A number of big employers in the US have implemented vaccine mandates, including Microsoft, United Airlines, Google, Walmart and others. However, UK and European law is quite different and in general does not permit measures of this kind.
The UK government may have given the impression that processing the COVID vaccination status and test results of staff is approved in a formal sense, but this is not the case.
Encouraging staff to get vaccinated is fine but checking whether they have been isn’t acceptable under data protection law. Regular testing remains acceptable but must comply with strict privacy and security rules.
HR's need-to-know on vaccines & the workplace:
September will see many teams heading back to the office and companies have to navigate the guidance along with the mix of staff who are and aren’t vaccinated, some of whom aren’t vaccinated by choice.
Employers seeking to collect the vaccination status of staff, or to impose screening checks, should follow these simple rules to stay on the right side of the law.
Do not collect, process or record information where possible
By verbally requesting a vaccination status, visually checking a COVID test or looking at but not scanning the NHS app, companies can avoid the implications of data protection law. But they might be in breach of the Equality Act if they exclude non-vaccinated staff.
Be careful not to record information inadvertently by creating a list of people who don’t need daily testing because they’re vaccinated, or a list of those who can’t come into the office because they aren’t.
Those would be considered records of vaccination status, which is protected medical data.
Consent is needed to collect a vaccination status
Employee consent is difficult to obtain safely. Legal precedent suggests employees may feel coerced – so companies have to be very careful to demonstrate that refusing consent has no adverse effects on the employee.
Evidence of a negative test is appropriate but short-lived
The Information Commissioner’s Office presently supports the view that, under health and safety regulation and the duty to provide a safe working environment, it is appropriate to ask for negative COVID tests. But companies must be careful not to exempt the vaccinated from testing.
Employers may make the tests compulsory and record the results. A negative test only has value for a short time and 72 hours seems to be the consensus. There is no need to retain the result for any longer than that and employers should delete the data at that point.
Those testing daily don’t need to record data at all, since anyone with a positive result will not be admitted and everyone will be re-tested the next day.
Positive tests can be recorded
If someone calls in sick with a positive test this can be recorded as part of their employment file. We encourage employers to minimise what they record. It’s important that the employee who tested positive is not identified to others.
If two or more employees test positive, this must be reported to Public Health England or the appropriate public health authority.
Recorded medical data is subject to a higher standard of protection
Medical data is considered more sensitive than other personal data. Companies must ensure medical data is properly protected; this includes minimising access to it and applying additional levels of security such as encryption or pseudonymisation.
The NHS app is designed with a QR code encouraging the viewer to scan it for verification. However, even if you record nothing, the act of verification alone counts as data processing and means that data protection law comes into play.
Employers should be very careful about the basis for requesting medical information. Vaccination is not an absolute barrier to transmission so asking for a vaccination status cannot be justified on the basis of ensuring a safe workplace.
It is doubtful that there is a legal basis for preventing unvaccinated staff from coming to work.
There are certainly difficulties in processing the related data lawfully, as the European Data Protection Supervisor (EDPS) has made clear. Although EDPS guidance is no longer directly binding on the UK, our law is identical to the EU law it interprets.
Ben Rapp is founder and principal at Securys